Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:20072
Return-Path: <ilia@prohost.org>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 4423 invoked by uid 1010); 16 Nov 2005 18:33:33 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 4408 invoked from network); 16 Nov 2005 18:33:33 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 Nov 2005 18:33:33 -0000
X-Host-Fingerprint: 70.85.46.36 unknown  
Received: from ([70.85.46.36:43946] helo=prohost.org)
	by pb1.pair.com (ecelerity 2.0 beta r(6323M)) with SMTP
	id FE/E6-07637-77B7B734 for <internals@lists.php.net>; Wed, 16 Nov 2005 13:33:27 -0500
Received: (qmail 4466 invoked from network); 16 Nov 2005 18:33:24 -0000
Received: from prohost.org (HELO ?127.0.0.1?) (70.85.46.36)
	by prohost.org with SMTP; 16 Nov 2005 18:33:24 -0000
Message-ID: <437B7B73.602@prohost.org>
Date: Wed, 16 Nov 2005 13:33:23 -0500
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Ron Korving <r.korving@xit.nl>
CC: internals@lists.php.net
References: <20051115221143.GA28082@hardened-php.net> <437B08C8.20804@iamjochem.com> <437B0C46.3080809@php.net> <75.66.07637.9497B734@pb1.pair.com>
In-Reply-To: <75.66.07637.9497B734@pb1.pair.com>
X-Enigmail-Version: 0.93.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] PHP 5.1.0 - sha256() and sha256_file() support
From: ilia@prohost.org (Ilia Alshanetsky)

Ron Korving wrote:
> I just read this news that an MD5 collision can now be done by anyone in 45
> minutes (avg) on a P4 1.6 GHz:
> http://it.slashdot.org/article.pl?sid=05/11/15/2037232&threshold=-1&tid=172&tid=93&tid=228
> http://www.stachliu.com.nyud.net:8090/collisions.html
> 
> MD5 as the standard for hashing is definately history. All the more reason
> for sha256- and alike-functions.

If you've read the article closely you'll know that while an impressive
trick, collisions cannot be generated arbitrarily. The program generates
both of the values that result in the same md5 hash . You cannot give it
an md5 and have it generate you a string with the same md5 hash, so md5
is still relatively safe.

Ilia